McKinsey & Company, Inc. United Kingdom (“McKinsey”, “us”, “we”), an affiliate of 
McKinsey & Company, understands that your personal data is important. McKinsey may 
process your personal data in its capacity as a data controller. When we do so, we are 
committed to respecting your privacy and protecting your personal data, which is any 
information that is capable of identifying you as an individual. 


This Privacy Notice applies to McKinsey’s processing of UK Hospital Episode Statistics 
(HES) Data (the “Data”), access to which is provided to us by the Health and Social Care 
Information Centre (known as “NHS Digital”), and describes how we handle and protect 
your personal data in connection with our processing of the Data. 


CATEGORIES OF DATA WE PROCESS 


The Data are collected about you by NHS organisations as they provide services to you 
as a patient under their care or if you are an NHS survey respondent. The Data are 
collated, stored and managed by NHS Digital and shared with McKinsey for research and 
health system planning under UK Law. 


McKinsey processes these Data, which comprise personal data and sensitive personal 
data, including health data, racial or ethnic origin and religious or other beliefs. The Data 
comprise the national HES data set. These Data are collected on all hospital patients in the 
UK. The Data sets we process are pseudonymised so that it would be very difficult for 
McKinsey to identify you as an individual from the Data we process. 


OUR USE AND PURPOSES FOR PROCESSING THE DATA 


McKinsey processes the Data to carry out research for the purposes of providing NHS 
organisations with recommendations and advice relating to how they may improve the 
quality and efficiency of their services, such as processing Data in connection with the 
benchmarking and analysis of hospital operational performance, utilization, and 
spending. 


The Data we process is pseudonymised. This means it would be very difficult for 
McKinsey to identify you as an individual from the Data we process for the purposes of 
our research. 


The Data will only be used in the context of services provided by McKinsey to NHS 
organisations in England and will not be used for non-NHS (or social care) organisations 
or for organisations outside of England. McKinsey will not use the Data to engage in 
automated decision-making, including profiling. 


The Data, and the recommendations or advice resulting from the processing of the Data, 
will not be used (directly or indirectly) for sales or marketing purposes by McKinsey & 
Company, nor by any non-NHS organisation, and will only be used for the purposes 
outlined above. 


LAWFUL BASIS FOR PROCESSING THE DATA 


McKinsey has a lawful basis for processing the Data as we have a legitimate interest in 
providing our services to the NHS to identify where the NHS can improve the quality and 
efficiency of its services. 


To the extent that the Data include personal data revealing health, ethnicity or other 
sensitive personal data, we process it on the basis of our research purposes, which are in 
the wider public interest, to improve the quality and efficiency of NHS services for the 
benefit of NHS users in England. 


RECIPIENTS OF THE DATA 


Unless required to do so under US law, we will not share the Data with any person or 
organisation outside of England, nor with any person or organisation that is not an NHS 
or social care organisation. 


McKinsey will only share the resulting reports and outputs with the NHS organisations 
who have commissioned its services. 


INTERNATIONAL TRANSFERS 


Unless required to do so under US law, the Data are not transferred outside of the 
European Economic Area. 


RETAINING THE DATA 


McKinsey uses appropriate measures and safeguards to protect the security of the Data. 
We have access to three years’ historic Data which is then deleted on a rolling basis. We 
securely delete the oldest year of Data within four weeks after the next full year’s Data is 
received. 


YOUR INDIVIDUAL RIGHTS IN RELATION TO THE DATA 


NHS Digital, who manage the Data, organise and maintain an opt-out system which can 
be found here: (https://digital.nhs.uk/services/national-data-opt-out-programme). You 
can prohibit the use of your information for research and planning through this opt-out 
programme. 


In some circumstances you may also have other rights respecting the Data that NHS 
holds about you, including the right to request access to the Data, the right to request its 
rectification, and the right to request its erasure. 


You may also have the right to lodge a complaint with the Information Commissioner’s 
Office as the competent data protection authority in England. 


CONTACT 


If you have any questions about this Privacy Notice, or our Privacy Policy, or if you would 
like to communicate with our EU Data Protection Officer or the Data Privacy Team, 
please contact us at: 


McKinsey & Company, 
Legal Department 
711 Third Avenue 
New York, NY 10017 
+1 212 446 7000 
privacy@mckinsey.com 


McKinsey reserves the right to modify this Privacy Notice. We will post any changes to 
our Privacy Notice on this page. Please check this page regularly to keep up-to-date. 


